For those of you who thought the GDPR was already overly complex (and judging by a recent survey* that could be one reason why over 50% of businesses still haven’t completed their compliance documentation) it could be about to become even more difficult when we leave the EU.
Deal or No Deal
What happens to data protection after 29th March?
The 2018 Data Protection Act and UK GDPR will apply. If we exit with a deal, existing arrangements are likely to persist throughout the “implementation period”, so if there are any changes, we will have time and notice to take care of them.
However, if we exit with no deal, we need to consider the implications of data transfers to and from EU. Personal data flowing from UK to EU/EEA will probably remain compliant from a GDPR point of view. However, for data flowing the other way around, (for example a European company operating in UK or having a UK subsidiary transferring data from Europe to UK), significant additional safeguards will need to be implemented.
A no deal situation would result in UK being categorised by EU as a 3rd Country, meaning it no longer has “adequate” data security standards as far as EU GDPR is concerned. The GDPR places restrictions on the movement of data under these circumstances (known as “restricted transfers”) and great care must be taken to establish the lawful bases for processing data in this way. The GDPR refers to a number of possible “appropriate safeguards” that may be adopted to make transfers legal, and separately eight possible exceptions that may apply.
This is a complex area, many organisations rely on “standard contractual clauses” between the data exporter and importer, which have been pre-approved by the regulators and specify security standards which protect the rights and freedoms of individuals. Larger, multi-national type organisations may also have Binding Corporate Rules in place to cover this. However, given the inherent complexity of these circumstances, it would be wise to obtain professional/ legal advice if personal data are transferred from Europe to UK post Brexit.
But doesn’t the UK already have the appropriate standards?
Yes! Given the UK (as part of EU) currently enjoys that status, it is likely that, over time, the UK will attain acceptance of adequacy from the European Commission. However, it has been reported that the UK cannot apply for this status until it has actually exited; and, although the EU has indicated it would consider the application quickly, no timeframe has been published and the decision would not be without detailed review. So, although these complications may only be temporary, they would need proper consideration and explicit action to ensure continued lawful processing of personal data.
What about businesses that don’t deal in Europe?
If you are only based in the UK and only offer goods and services in the UK, then there is likely to be little change; in practical terms, it would be wise to review your legal bases for processing to make sure they still apply and review your privacy notices to ensure they accurately reflect how and where you process and store personal data.
Brexit is not another excuse to put off compliance
Remember, regardless of the outcome of the impending Brexit situation, all UK businesses, including SMBs, will need to ensure they continue to comply with current UK data protection laws and, importantly, be able to demonstrate their understanding and compliance with the legislation.
Those that have not completed (or even started) their GDPR compliance cannot use Brexit as an excuse. There are a number of GDPR companies offering practical and affordable options for SMBs who need a little help, in addition a multitude of self-help resources are available for those adopting the DIY approach. Whatever your situation, GDPR should still be high on your agenda and the uncertainties over Brexit should not distract you.
*International Association of Privacy Professionals (IAPP) survey in December 2018, less than half of respondents said they are fully compliant with GDPR (Dec 18).